Malicious NuGet package activity targeting ASP.NET Identity
Malware Activity
Summary
Hide ▲
Show ▼
Four malicious NuGet packages were uncovered that exfiltrate ASP.NET Identity data and create persistent backdoors, putting deployed ASP.NET applications at risk. The packages were published between August 12 and 21, 2024 and later removed after responsible disclosure. One package, NCryptYo, staged a localhost:7152 proxy to relay traffic to attacker-controlled infrastructure. The companion packages, DOMOAuth2_, IRAOAuth2.0, and SimpleWriter_, added theft, file-writing, and hidden execution capabilities.
Related Happenings
Postcss-minify-selector-parser Windows RAT delivery chain
Malware Activity
H score29
First: 23.06.2026 18:00
Last: 23.06.2026 18:00
Sources 1
About this happening:
The **postcss-minify-selector-parser** npm package delivered a **multi-stage Windows RAT**, creating a supply-chain path onto **developer machines** and exposing **browser logins*...
Postcss-minify-selector-parser Windows RAT delivery chain
Malware ActivityAbout this happening: The **postcss-minify-selector-parser** npm package delivered a **multi-stage Windows RAT**, creating a supply-chain path onto **developer machines** and exposing **browser logins*...
Mastra @mastra/* npm packages hit by network compromise
Incident
H score47
First: 17.06.2026 10:38
Last: 17.06.2026 10:38
Sources 1
About this happening:
**Mastra** @mastra/* npm packages were **compromised** in a **software supply chain attack** that spread through the namespace on **2026-06-17**. Microsoft now attributes the acti...
Mastra @mastra/* npm packages hit by network compromise
IncidentAbout this happening: **Mastra** @mastra/* npm packages were **compromised** in a **software supply chain attack** that spread through the namespace on **2026-06-17**. Microsoft now attributes the acti...
Latest development: 20.06.2026 17:09
Microsoft attributed the Mastra AI supply chain attack to Sapphire Sleet, also known as BlueNoroff, and said the attackers compromised the npm maintainer account ehindero, which had publishing privileges across the Mastra package environment. The June 19 update said more than 140 packages in the @mastra scope were modified to inject easy-day-js.
Inactive maintainer account 'atiertant' hit by network compromise
Incident
H score13
First: 15.05.2026 20:10
Last: 15.05.2026 20:10
Sources 1
About this happening:
The **inactive maintainer account 'atiertant'** for **node-ipc** was **compromised**, enabling malicious package releases that could steal credentials from downstream installation...
Inactive maintainer account 'atiertant' hit by network compromise
IncidentAbout this happening: The **inactive maintainer account 'atiertant'** for **node-ipc** was **compromised**, enabling malicious package releases that could steal credentials from downstream installation...
Node-ipc malicious versions with stealer/backdoor payload
Malware Activity
H score34
First: 14.05.2026 20:22
Last: 14.05.2026 20:22
Sources 1
About this happening:
Three **node-ipc** releases now carry an **obfuscated stealer/backdoor** that can harvest **developer and cloud secrets** from any system that loads the package. The malicious cod...
Node-ipc malicious versions with stealer/backdoor payload
Malware ActivityAbout this happening: Three **node-ipc** releases now carry an **obfuscated stealer/backdoor** that can harvest **developer and cloud secrets** from any system that loads the package. The malicious cod...
Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials
Campaign
H score56
First: 12.05.2026 14:29
Last: 12.05.2026 14:29
Sources 1
About this happening:
The **Shai-Hulud** **supply-chain campaign** now includes a fresh **PyPI** wave that compromised **19 packages** across **37 malicious releases**, with popular bioinformatics tool...
Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials
CampaignAbout this happening: The **Shai-Hulud** **supply-chain campaign** now includes a fresh **PyPI** wave that compromised **19 packages** across **37 malicious releases**, with popular bioinformatics tool...
Timeline
-
25.02.2026 14:43 2 articles · 4mo ago
Malicious NuGet packages target ASP.NET Identity
Initial DisclosureFour NuGet packages—NCryptYo, DOMOAuth2_, IRAOAuth2.0, and SimpleWriter_—were published between August 12 and 21, 2024 by hamzazaheer and later removed after responsible disclosure. The packages targeted ASP.NET web application developers by exfiltrating ASP.NET Identity data, including user accounts, role assignments, and permission mappings, while manipulating authorization rules to create persistent backdoors in victim applications; NCryptYo masqueraded as NCrypto and staged a localhost:7152 proxy to relay traffic to attacker-controlled C2, DOMOAuth2_ and IRAOAuth2.0 forwarded Identity data through that proxy, and SimpleWriter_ added unconditional file writing and hidden process execution.
Show sources
- Malicious NuGet Packages Stole ASP.NET Data; npm Package Dropped Malware — thehackernews.com — 25.02.2026 14:43
- Malicious NuGet Packages Stole ASP.NET Data; npm Package Dropped Malware — thehackernews.com — 25.02.2026 14:43